<%#
kind: finish
name: Windows default finish
model: ProvisioningTemplate
oses:
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows
test_on:
- windows10_dhcp
description: |
  A finish template executed at the end of Windows provisioning. For more information, please
  see https://community.theforeman.org/t/windows-provisioning-made-easy/16756

  This template accepts the following parameters:
  - windowsLicenseKey: ABCDE-ABCDE-ABCDE-ABCDE-ABCDE # Valid Windows license key
  - windowsLicenseOwner: Company, INC # Legal owner of the Windows license key
  - localAdminAccountDisabled: false
  - ntpServer: time.windows.com,other.time.server
  - domainAdminAccount: joinuser@domain.com # please do not use the domain administrator
  - domainAdminAccountPasswd: Password for the domain Admin account
  - computerOU: OU=Computers,CN=domain,CN=com # Place the computer account in specified Organizational Unit
  - computerDomain: domain.com # domain to join
  - machinePassword: used for unsecure domain join. needs precrated computer object (New-ADComputer)
  - foremanDebug: false
  - skip-puppet-setup: boolean (default=false)

  Information about unsecure domain join
  https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/add-computer?view=powershell-5.1#example-9--add-a-computer-to-a-domain-using-predefined-computer-credentials
-%>
<%
  # safemode renderer does not support unary negation
  puppet_enabled = !host_param_true?('skip-puppet-setup') && (host_puppet_server.present? || host_param_true?('force-puppet'))
  salt_enabled = host_param('salt_master').present?
  chef_enabled = @host.respond_to?(:chef_proxy) && @host.chef_proxy
  network_location = host_param('networklocation', 'Private')
%>

@echo off
<% unless host_param('localAdminAccountDisabled') -%>
echo Activating administrator
net user administrator /active:yes
<% end -%>

<% if @host.pxe_build? -%>
set ctr=0
set nettimeout=10
<% end -%>

<%= snippet 'windows_network' %>

<% if host_param('ntpServer') -%>
echo Setting time server
w32tm /config /manualpeerlist:<%= host_param('ntpServer') %> /syncfromflags:manual /update
<% end -%>

echo Syncing time
w32tm /resync

<% if host_param('computerDomain') -%>
<% if host_param('domainAdminAccount').present? && host_param('domainAdminAccountPasswd').present? -%>
echo Performing secure domain join
powershell.exe -OutputFormat text -command Add-Computer -DomainName '<%= host_param('computerDomain') -%>' -Credential (New-Object -TypeName System.Management.Automation.PSCredential '<%= host_param('domainAdminAccount') -%>', (ConvertTo-SecureString -String '<%= host_param('domainAdminAccountPasswd') -%>' -AsPlainText -Force))<% if host_param('computerOU').present? -%> -OUPath '<%= host_param('computerOU') -%>'<% end -%>
<% else -%>
<% if host_param('machinePassword').present? -%>
echo Performing unsecure domain join
powershell.exe -OutputFormat text -command Add-Computer -Domain '<%= host_param('computerDomain') -%>' -Options UnsecuredJoin,PasswordPass -Credential (New-Object -TypeName System.Management.Automation.PSCredential $null, (ConvertTo-SecureString -String '<%= host_param('machinePassword') -%>' -AsPlainText -Force))
<% end -%>
<% end -%>
<% end -%>

<% if host_param('localAdminAccountDisabled') -%>
echo Disabling %tempAdminUser%
net user %tempAdminUser% %tempAdminUser% /active:no
<% end -%>

<% if host_param('http-proxy').present? -%>
cmd /C "netsh winhttp set proxy <%= host_param('http-proxy') %>:<%= host_param('http-proxy-port') %>"
<% end -%>

<% unless host_param('computerDomain') -%>
powershell /c "Get-NetConnectionProfile -InterfaceAlias \"Ethernet0\" | Set-NetConnectionProfile -NetworkCategory <%= network_location %>"
<% end -%>

<% if host_param('ansible_user').present? -%>
<% if host_param_true?('create_ansible_user') -%>
powershell /c "set-localuser -name <%= host_param('ansible_user') %> -passwordneverexpires 1"
<% end -%>
powershell /c "Enable-PSRemoting"
cmd /c "netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in localport=5985 protocol=TCP action=allow"
cmd /c winrm set winrm/config/service @{AllowUnencrypted="true"}
cmd /c winrm set winrm/config/client/auth @{Basic="true"}
cmd /c winrm set winrm/config/service/auth @{Basic="true"}
<% end -%>

<% if host_param('ping') -%>
cmd /c "netsh advfirewall firewall add rule name=\"Enable IPv4 ICMP\" dir=in protocol=icmpv4 action=allow"
<% end -%>

<% if host_param('remote_desktop') -%>
cmd /c "netsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes"
cmd /c "netsh advfirewall firewall set rule group=\"remotedesktop\" new enable=Yes"
<% end -%>

<% if puppet_enabled -%>
echo Downloading Puppet installer
wget "<%= host_param('win_puppet_source') %>" -O C:\puppet-agent-latest.msi
echo Installing Puppet
start /w "" msiexec /qn /i C:\puppet-agent-latest.msi PUPPET_AGENT_STARTUP_MODE=Manual PUPPET_SERVER=<%= host_puppet_server -%> PUPPET_CA_SERVER=<%= host_puppet_ca_server -%> PUPPET_AGENT_ACCOUNT_DOMAIN=<%= @host.domain -%> PUPPET_AGENT_ACCOUNT_USER=administrator PUPPET_AGENT_ACCOUNT_PASSWORD="<%= host_param('domainAdminAccountPasswd') -%>"
echo Setting Puppet to auto start
sc config puppet start= auto
sc query puppet
<% end -%>

<% if !host_param_true?('foremanDebug') -%>
echo Rebooting in 60 sec
shutdown /r /t 60

echo Removing wimaging files
rd /s /q c:\wimaging
sdelete.exe -accepteula -p 2 c:\Windows\Panther\unattend.xml
sdelete.exe -accepteula -p 2 C:\Windows\Setup\Scripts\SetupComplete.cmd

echo Removing leftover directories
rd /s /q c:\MININT
rd /s /q c:\drivers
rd /s /q c:\updates

<% if puppet_enabled -%>
echo Removing Puppet installer
sdelete.exe -accepteula -p 2 C:\puppet-agent-latest.msi
<% end -%>

echo Removing deploy directory
rd /s /q c:\deploy

<% end -%>
